“The Apache Darkleech attack has been in the news for quite some time now,” said Zscaler’s Krishnan Subramanian. “The first compromise that we identified in our transactions dates back to mid-March. This Darkleech exploit (aka Linux.Cdorked) injects malicious redirections into a website that leads to a Blackhole exploit kit (BEK) landing page.

“We are currently observing a considerable rise in websites being compromised due to this attack. The infected websites redirect to a version of the BEK version 2.”

Subramanian said the complex nature of the attack’s exploit method makes it difficult to know exactly how many sites have been affected, making tracking and combating the threat a difficult task.

“The exploit code targets vulnerabilities in multiple plugins including Adobe PDF and Java when run on IE, causing the attacker to load malicious code in the context of the application. When deobfuscating the PDF exploit, we can see the final URL used for redirection. However, this URL was not accessible (404 error response) at the time of writing, hence it was not possible to retrieve the malicious binary file,” Subramanian said.

“Upon revisiting some of these compromised websites, it was found that the page was no longer serving the injected code. This provides a clue. The attackers probably choose random sites running the Apache Webservers that are vulnerable to the Darkleech exploit and infect them only for a brief period of time and then clean them up. Hence tracking Darkleech infections can be a challenging task.”

The attack already infected thousands of websites when researchers first uncovered it earlier this year. Subramanian said businesses or website owners worried their site has suffered an infection should contact their Apache server host to ensure they have installed the CVE-2012-1557 security patch to fix the flaw.